[type1] Protect against invalid number of glyphs (#46029).

* src/type1/t1load.c (parse_charstrings): Check number of `CharStrings' dictionary entries against size of data stream.
2015-09-25 16:54:28 +02:00 · 2015-09-25 16:54:28 +02:00 · 2439c515a7
commit 2439c515a7
parent 5339c75ee6
2 changed files with 17 additions and 1 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2015-09-25  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Protect against invalid number of glyphs (#46029).
+
+	* src/type1/t1load.c (parse_charstrings): Check number of
+	`CharStrings' dictionary entries against size of data stream.
+
 2015-09-23  Werner Lemberg  <wl@gnu.org>

 	[sfnt] Better checks for invalid cmaps (2/2) (#46019).
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@ -1541,7 +1541,7 @@

    PSAux_Service  psaux        = (PSAux_Service)face->psaux;

-    FT_Byte*       cur;
+    FT_Byte*       cur          = parser->root.cursor;
    FT_Byte*       limit        = parser->root.limit;
    FT_Int         n, num_glyphs;
    FT_Int         notdef_index = 0;
@ -1555,6 +1555,15 @@
      goto Fail;
    }

+    /* we certainly need more than 8 bytes per glyph */
+    if ( num_glyphs > ( limit - cur ) >> 3 )
+    {
+      FT_TRACE0(( "parse_charstrings: adjusting number of glyphs"
+                  " (from %d to %d)\n",
+                  num_glyphs, ( limit - cur ) >> 3 ));
+      num_glyphs = ( limit - cur ) >> 3;
+    }
+
    /* some fonts like Optima-Oblique not only define the /CharStrings */
    /* array but access it also                                        */
    if ( num_glyphs == 0 || parser->root.error )